The way Alan Westin sees it, privacy is not so much a cause or a burden for corporate America as it is a balance—one that he has spent the past four decades helping businesses negotiate. A professor emeritus of public law and government at Columbia University, Westin is regarded as a leading expert on information privacy, both by the Fortune 500 businesses that pay him to act as a consultant and by the civil libertarians who have occasionally accused him of being too sensitive to corporate needs. Westin, the founder and president of the Center for Social & Legal Research, a nonprofit think tank based in Hackensack, N.J., and publisher of the newsletter Privacy & American Business, has been a member of government privacy commissions, testified before legislative committees and regulatory agencies, written books about privacy, and conducted public opinion surveys quoted far and wide.

At a time when companies are trying to wrangle every penny they can out of existing customers—customers who are increasingly fed up with targeted marketing campaigns—CIO asked Westin to direct his attention to the role that the keeper of the customer database—the CIO—plays in managing this conflict. Senior Writer Sarah D. Scalet talked with Westin about that challenge.

CIO: In terms of privacy protection, how has the role of the CIO changed over the years?

Alan Westin: It used to be that whoever was in charge of the information function looked at hardware and software solutions, and the users would just tell her what to do in terms of how data was formatted or delivered.
CIOs today adjudicate between marketing and customer relations managers—who want data information brought in from third-party suppliers and want to produce detailed profiles of customers and projects—and the chief privacy officer—who advocates being careful to meet regulations at the state and federal levels.

It sounds like the CIO has to broker the relationship between those conflicting parties.

Yes, but I’m a little concerned about using the word broker because it implies that CIOs have the command role, and they don’t. The command role is going to be either the legal department or top management, which says, OK, we’ve listened to the marketing people, we’ve listened to the privacy officer, and this is what I, the top management, want you, the CIO, to do. I don’t think the CIO is a referee.

Opt-outs or opt-ins are where the rubber hits the road. The company says, If you don’t want to receive this kind of material from us, check this box or call this toll-free number. That information goes into a system that the CIO administers. And against a database composed of 25 million credit card holders, the CIO needs to suppress marketing to the 100,000 or 3 million customers who have said, No, I don’t want that communication. Obviously it raises huge data management issues.

If you get the marketing people and the privacy officer and the CIO together, they can say, We don’t want to give up the opportunity to market related products to our existing marketing database, but we know that there’s a small segment of customers who will be outraged if that happens. The company might set up the following options: 1. Customers can opt out of any contact other than the service delivery that they’ve signed up for; or 2. They could opt out of any telemarketing calls but not opt out of written communication.
The CIO’s role is to show how refined programs like that can be implemented.

What is the ultimate goal of this balancing act?

This act gets the maximum number of your customers comfortable with the way you are handling their information and presenting them with options.

What about offering customers the chance to see the information in their records?

That raises a lot of complicated issues because what exactly is it that the consumer gets access to? If it’s just a transaction, that’s not a big problem. But behind transaction records is a marketing database. Most companies have added information from what’s known as ZIP-plus-four databases, which will say that Alan Westin lives in a block in which the average house costs so much, and the ethnic make-up is such and such, and residents are mostly retired and so forth. The issue is, if I want to see what information a company has about me in my credit card file, do I get to see that? Most companies would turn purple at that idea. The Federal Trade Commission had a task force look at the issue, and it was unable to come to any firm conclusion because this issue divides the consumer groups and the business groups so fundamentally.

How does the USA Patriot Act affect the CIO’s role?

An area that’s going to be extremely important for CIOs is the whole question of compliance with demands from the government’s new antiterrorist investigators, who want direct access to companies’ consumer data, under the Patriot Act and CAPPS II [the Transportation Security Administration’s new passenger screening system]. The government is given the legal right to ask for e-mail transactions, financial transactions and various kinds of telephone communications, and as a result, companies are going to be caught in the cross fire.
On one hand, they want to comply with the government’s requests because we all understand that this is not a phony danger. On the other hand, they have to worry about the trust of their customers; if customers feel that every time they give information to their bank or credit card company or insurance firm it’s going to the government.

We’re just beginning to say, What kind of a system should there be for giving the government access? In the past, that was always under very strict rules set by things such as the Right to Financial Privacy Act of 1978, which said that if the government wants to get that information, it must have a subpoena or a court order. The Patriot Act wiped that away. But where is the control? Where will the safeguards be? The CIO is going to be involved when the federal government comes to Delta Air Lines or American Airlines and says, We want this information from you, and we want it in 30 seconds. I don’t expect the CIO to stand up and say no. The privacy officer has to raise all kinds of questions about what kind of audit trail should be created. (For more information, see "What to Do When Uncle Sam Wants Your Data" at www.cio.com/printlinks.)

If you’re talking about the competing interests of privacy and marketing and so on, when you insert an outside party like the government into the equation, it throws off whatever kind of balance the company was working toward.

That’s correct. But that’s what happened on Sept. 11. If we don’t have access to this kind of information, then the likelihood of our being successful in controlling terrorism is going to be low. I think the Patriot Act is a justified piece of legislation. The issues are always the safeguards and the misuse of information.
For example, DARPA’s Total Information Awareness project was a thoughtless and overblown approach that somehow assumed that magic algorithms could be applied that would extract [meaning] from this enormous mass of private-sector data added to public data—that somehow up would pop the bearded face of Osama bin Laden.

How big of an impact do you think the FTC’s Do Not Call list will have on companies?

People in very large numbers are going to sign up for that Do Not Call list, which is a registry of numbers that companies cannot call. However, it will take a high level of care on the CIO’s part to help keep track of those numbers, and if a clerk gets careless or makes a mistake, it could get costly.

In a bigger sense, I think this is the beginning of the end of the targeted marketing era. That list is going to be a catalyst that moves companies into a whole consumer permission mode. If you think about it historically, until the 1980s, companies engaged in mass marketing—newspapers, TV, radio and billboard displays—then moved into target marketing. The idea was that we must know you to serve you; and we’re going to collect a lot of profile information; and you should like it because after all we’ll now know that you like to sail, so we’ll tell you about sailboats, or if you like to go to Italy we’ll tell you about Italian vacations. What companies didn’t realize—or if they did, they didn’t care—is that there comes a point where people get saturated by that kind of intrusive marketing. Between telemarketing and spam, you have about as fed up a public as I’ve ever seen on any consumer issue. The strongest piece of evidence is the passage of the Do Not Call list against the immense lobbying of the direct-marketing industry and all its practitioners.
Public anger was so great that politicians and legislators just had to respond.

Do you consider yourself an advocate for privacy?

I’m a balance person. I identify dangers to privacy, but my solutions are much more about recognizing the competing values that need to be brought into some kind of harmony. I appreciate the roles of the American Civil Liberties Union, the Electronic Privacy Information Center and the Center for Democracy and Technology in always being the advocates of the total privacy solution, but I would never want to live under their regimes—not that I mind their pointing out dangers in various kinds of new antisurveillance proposals.

I’m a Libra, which is the scales. On one hand this; on the other hand that. If you’re a Libra, balance is what the stars have given you—or cursed you to.